The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. WordPress Auto-Updates: What do you have to lose? (Wordfence, Aug 07 2020)
A new feature that will allow automatic updating of plugins and themes will be available in WordPress version 5.5, which is scheduled to be released on August 11, 2020. In this core release of the world’s most popular content management system, site owners will have the option to turn auto-updates on for individual plugins and…
2. The US Government Is Spamming Random Iranians and Russians With Text Messages (VICE, Aug 07 2020)
The State Department is begging random Russians and Iranians for information about election interference, by spamming them with SMS messages.
3. Chinese Researchers Show How They Remotely Hacked a Mercedes-Benz (SecurityWeek, Aug 07 2020)
The researchers disassembled the center panel and analyzed the car’s head unit, telematics control unit (TCU), and the backend. In the file system of the vehicle’s TCU, to which they gained access by obtaining an interactive shell with root privileges, they uncovered passwords and certificates for the backend server.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Over a Billion Android Devices Are at Risk of Data Theft (Wired, Aug 10 2020)
Qualcomm has released a fix for the flaws in its Snapdragon chip, which attackers might exploit to monitor location or render the phone unresponsive.
5. Hackers Could Use IoT Botnets to Manipulate Energy Markets (Wired, Aug 04 2020)
With access to just 50,000 high-wattage smart devices, attackers could make a bundle off of causing minor fluctuations.
6. A Hacker’s guide to reducing side-channel attack surfaces using deep-learning (Elie Bursztein’s blog, Aug 06 2020)
In recent years, Side-Channel Attacks Assisted with Machine Learning, aka SCAAML, have been proven a very effective approach to carry out side-channel attacks even against the toughest hardware cryptographic implementations in a semi-automatic manner.
Building on this line of work, this talk showcases how to take it a step further and demonstrates how to combine the recent advances in deep-learning explainability with dynamic execution to quickly assess which parts of a hardware cryptographic implementation are responsible for leaking the information exploited by a given side-channel attack.
*Cloud Security, DevOps, AppSec*
7. Facebook open-sources a static analyzer for Python code (Help Net Security, Aug 10 2020)
Need a tool to check your Python-based applications for security issues? Facebook has open-sourced Pysa (Python Static Analyzer), a tool that looks at how data flows through the code and helps developers prevent data flowing into places it shouldn’t.
8. How to secure DevOps (Cloud Security Alliance, Aug 12 2020)
Last month, IT news websites reported that RubyGems, the official channel for distributing libraries for the Ruby programming language, had been poisoned. An attacker uploaded fake packages containing a malicious script, so all programmers who used the code in their projects unwittingly infected users’ computers with malware that changed cryptocurrency wallet addresses.
9. Introducing the Google Cloud Security Showcase (Google Cloud Blog, Aug 07 2020)
The Google Cloud Security Showcase is a video resource that’s focused on solving security problems and helping you create a safer cloud deployment. The showcase currently has almost 50 step-by-step videos on specific security challenges or use cases—complete with actionable information to help you solve that specific issue—so there’s sure to be something for every security professional. In this blog we’ll highlight some of these use cases and example videos across major security domains to show what the Google Cloud Security Showcase is and how it can help you.
*Identity Mgt & Web Fraud*
10. NJ Supreme Court: No 5th Amendment right not to unlock your phone (Ars, Aug 11 2020)
Courts are split on whether phone unlocking orders violate the Fifth Amendment.
11. Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims (Krebs on Security, Aug 06 2020)
A group of thieves thought to be responsible for collecting millions in fraudulent small business loans and unemployment insurance benefits from COVID-19 economic relief efforts gathered personal data on people and businesses they were impersonating by leveraging several compromised accounts at a little-known U.S. consumer data broker, KrebsOnSecurity has learned.
12. A Private Equity Firm Bought Ancestry, and Its Trove of DNA, for $4.7B (VICE, Aug 07 2020)
Blackstone, which says it will not have access to people’s data, acquired the genealogy and home DNA testing company from a group of other investment firms.
13. Black Hat Wrap-Up: IoT and Hardware Vulnerabilities Take the Spotlight (SecurityWeek, Aug 10 2020)
The first entirely virtual edition of the Black Hat cybersecurity conference took place last week and researchers from tens of organizations presented the results of their work from the past year.
14. USA decides to cleanse local networks of anything Chinese under new five-point national data security plan (The Register, Aug 10 2020)
‘Clean Network’ initiative bans use of Chinese clouds, names Alibaba, Baidu, and Tencent as compromised
15. DEF CON 2020 Wrap-Up: Hacking Phones, Cars and Satellites (SecurityWeek, Aug 11 2020)
Tens of researchers showcased their work last week at the DEF CON hacking conference. They presented research on hacking phones, cars, satellite communications, traffic lights, smart home devices, printers, and popular software services, among many others.